Check out this blog: http://perezbox.com/2013/07/ossec-detecting-new-files-understanding-how-it-works/
Pay attention to the part: "REAL TIME VS ALERT ON NEW".

Regards,
Jesus Linares.

On Thursday, March 31, 2016 at 9:08:37 PM UTC+2, [email protected] wrote:
> I followed the instructions on how to set up an alert for adding a new file, as follows:
>
> <rule id="554" level="10" overwrite="yes">
>   <category>ossec</category>
>   <decoded_as>syscheck_new_entry</decoded_as>
>   <description>File added to the system.</description>
>   <group>syscheck,</group>
> </rule>
>
> and
>
> <syscheck>
>   <frequency>7200</frequency>
>   <alert_new_files>yes</alert_new_files>
>   <directories check_all="yes">/etc,/bin,/sbin</directories>
> </syscheck>
>
> But it never works. I cannot get alerts even after I restart the agent and manager. Could anyone help me with this? Thanks.
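As an added example (not part of the thread or of OSSEC itself), a small Python check that reads the two fragments quoted above and reports whether new-file alerts can fire at all and how long they may take to appear: rule 554 must be overridden with a level above 0, alert_new_files must be "yes", and since syscheck reports new files during its scheduled scan rather than through realtime monitoring, the first alert can lag by up to the configured frequency. The <group> wrapper around the rule and the <ossec_config> root are assumed, as in a typical local_rules.xml and ossec.conf.

```python
import xml.etree.ElementTree as ET

# Constructed sample input: the poster's fragments, wrapped the way they
# would sit in local_rules.xml and ossec.conf (wrappers are assumptions).
LOCAL_RULES_XML = """<group name="local,syscheck,">
  <rule id="554" level="10" overwrite="yes">
    <category>ossec</category>
    <decoded_as>syscheck_new_entry</decoded_as>
    <description>File added to the system.</description>
    <group>syscheck,</group>
  </rule>
</group>"""

OSSEC_CONF_XML = """<ossec_config>
  <syscheck>
    <frequency>7200</frequency>
    <alert_new_files>yes</alert_new_files>
    <directories check_all="yes">/etc,/bin,/sbin</directories>
  </syscheck>
</ossec_config>"""


def check_new_file_alerting(rules_xml, conf_xml):
    """Return findings about whether syscheck new-file alerts can fire."""
    findings = {}
    rule = ET.fromstring(rules_xml).find(".//rule[@id='554']")
    # Stock rule 554 is level 0 (silent); an override with level > 0 is needed.
    findings["rule_554_overridden"] = rule is not None and rule.get("overwrite") == "yes"
    findings["rule_554_level"] = int(rule.get("level", "0")) if rule is not None else 0

    sc = ET.fromstring(conf_xml).find("syscheck")
    findings["alert_new_files"] = (sc.findtext("alert_new_files") or "").strip() == "yes" if sc is not None else False
    freq = sc.findtext("frequency") if sc is not None else None
    findings["scan_frequency_seconds"] = int(freq) if freq else None

    # Directory entries are comma-separated; realtime="yes" marks inotify-watched ones.
    dir_nodes = sc.findall("directories") if sc is not None else []
    findings["monitored_dirs"] = [p for d in dir_nodes for p in d.text.split(",")]
    findings["realtime_dirs"] = [p for d in dir_nodes if d.get("realtime") == "yes" for p in d.text.split(",")]

    findings["can_alert_on_new_files"] = (findings["rule_554_overridden"]
                                          and findings["rule_554_level"] > 0
                                          and findings["alert_new_files"])
    # New files surface on the scheduled scan, so this is the worst-case wait.
    findings["max_alert_delay_seconds"] = findings["scan_frequency_seconds"]
    return findings


if __name__ == "__main__":
    for key, value in check_new_file_alerting(LOCAL_RULES_XML, OSSEC_CONF_XML).items():
        print(f"{key}: {value}")
```

With the poster's settings the check reports that alerting is configured correctly but may take up to 7200 seconds after a file is created, which is worth knowing before concluding that it "never works".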
